Blog

The Rise of the Rural MSSP: Can Tailored Security Models Solve the Small Utility Budget Crisis?

New MSSP Model Targets Rural Water Utility Cybersecurity

TL;DR

  • A new, scalable Managed Security Service Provider (MSSP) model is launching to provide affordable, continuous cybersecurity protection for the thousands of underfunded rural water utilities nationwide.
  • This formalized service transitions the successful, but non-scalable, DEF CON Franklin cyber volunteer effort, ensuring 24/7 threat detection, incident response, and vulnerability management.
  • The MSSP focuses on critical infrastructure protection by monitoring Operational Technology (OT) and providing essential compliance support for evolving EPA mandates.
  • Key institutional support comes from the National Rural Water Association (NRWA), the University of Chicago’s Harris Cyber Policy Initiative (CPI), and experts like Jake Braun and Tarah Wheeler.

Table of Contents

A first-of-its-kind managed security service provider (MSSP) model is launching to address significant cybersecurity vulnerabilities facing rural water utilities across the United States.

The initiative transitions the successful cyber volunteer effort of DEF CON Franklin into a formal, scalable framework. This MSSP model is specifically designed to provide continuous cybersecurity expertise and threat detection previously unavailable to small water utilities due to severe budget constraints.

Spearheading the effort are key figures from the volunteer community, including Jake Braun, Executive Director of the University of Chicago’s Harris Cyber Policy Initiative (CPI), and expert Tarah Wheeler.

Their goal is to democratize high-level critical infrastructure protection for the thousands of underfunded water systems nationwide.

The transition provides a scalable solution against increasing attacks by cybercriminals and sophisticated nation state groups targeting essential services. The focus is on affordable cybersecurity services, incident response, and continuous monitoring for security threats.

Industry analysts view this as a vital step toward securing drinking water safety and providing necessary compliance support for systems often lacking internal security staff. The structure aims to meet the growing need for protection highlighted by recent warnings from the Environmental Protection Agency (EPA).

This service is expected to work closely with organizations like the National Rural Water Association (NRWA) to ensure broad adoption among eligible small water utilities.

Expert Insight

“There are another 49,000 water utilities that do not support military bases and still need to improve their cybersecurity because they either don’t have the staff, or the resources, to protect themselves,”, Jake Braun, Executive Director of the Cyber Policy Initiative

The Necessity of Continuous Cybersecurity: Scaling the MSSP Model

The shift from a successful cyber volunteer effort to a professional managed security service (MSSP) structure was necessitated by the sheer scale of the national threat landscape. While the initial DEF CON Franklin model demonstrated success in pilot programs across states including Arizona, Idaho, Indiana, Oregon, Utah, and Vermont, the volunteer framework proved impossible to scale effectively.

The challenge lies in providing continuous cybersecurity coverage for the more than 50,000 water utility systems nationwide. Volunteer time cannot provide the 24/7 monitoring required for true critical infrastructure protection.

Jake Braun, co-founder of DEF CON Franklin and a former senior cybersecurity official affiliated with the University of Chicago’s Harris Cyber Policy Initiative (CPI), explained the limitations of the previous approach.

The volunteer model was essential for understanding the unique operational realities of small water utilities, but it does not provide the continuous cybersecurity needed to counter sophisticated, persistent threats. We needed a professional, shared, and affordable framework that offers true cybersecurity expertise.

Mr. Braun confirmed this assessment in an interview with Recorded Future News. The initiative, which also features leadership from experts like Tarah Wheeler, leverages shared resources and centralized threat intelligence to dramatically lower the per-utility cost.

The new MSSP model is designed to provide enterprise-level protection against cyberattacks water systems face daily, without requiring an associated enterprise budget. The framework also closely coordinates with efforts like the Water Watch Center to share relevant threat data.

Democratizing High-Level Security for Rural Water Utilities

The core goal of the rural MSSP model is to offer high-quality threat detection and incident response services at a fraction of the cost large municipalities typically pay. By aggregating the security needs of multiple water utilities, the service achieves vital economies of scale.

This democratization of security is critical for small water utilities operating on thin margins. It also directly addresses a persistent regulatory gap concerning compliance support.

The Environmental Protection Agency (EPA) has previously indicated that a high percentage of inspected water systems fail basic cybersecurity standards. This gap leaves drinking water safety at risk from organized cybercriminals and nation state groups.

Organizations like the National Rural Water Association (NRWA) have stressed the urgent need for accessible cybersecurity services. The financial structure of the MSSP model aims to make security accessible, moving it from a prohibitive capital expenditure to an affordable operational expense.

The MSSP Model: Scope and Technical Design for Rural Water Utilities

The new Managed security service provider (MSSP) framework directly addresses the technical challenges faced by small water utilities. The model, partially derived from lessons learned during the initial DEF CON Franklin volunteer efforts, focuses heavily on rapid response and proactive monitoring of pressure management and Operational Technology (OT) environments.

Crucially, the MSSP design integrates seamlessly with the existing, often outdated, technology used by rural water utilities. Providers recognize that mass hardware upgrades are not feasible given current budget constraints. The goal is to maximize critical infrastructure protection using current assets.

According to a spokesperson for the initiative, the scope of cybersecurity services is designed to provide comprehensive, continuous cybersecurity coverage similar to that offered to larger metropolitan systems. These core offerings prioritize immediate threat mitigation and regulatory adherence.

The key services offered to water utilities cybersecurity clients include:

  • 24/7 threat detection and monitoring for security threats and abnormal network activity.
  • Real-time threat intelligence tailored specifically to the water sector, informed by data from groups like the Water Watch Center.
  • Vulnerability management and system patching support.
  • Automated incident response protocols and recovery planning, critical for maintaining drinking water safety.
  • Dedicated compliance support for evolving Environmental Protection Agency (EPA) and federal mandates affecting critical infrastructure protection.
  • Protection against sophisticated nation state groups and common cybercriminals targeting utility control systems.

This layered approach provides robust security protection for water utilities against both advanced persistent threats and opportunistic cybercriminals.

Jake Braun, a key figure in the initial cyber volunteer effort, noted that this MSSP model ensures high-level cybersecurity expertise is no longer restricted to large, well-funded systems. The goal is to democratize continuous cybersecurity for every member of the National Rural Water Association (NRWA).

Institutional Support and Key Personnel for the New MSSP Model

The transition from the DEF CON Franklin cyber volunteer effort to a formalized, sustainable Managed security service provider (MSSP) model requires significant institutional backing and expert leadership.

This support ensures the technical rigor and long-term viability needed for critical infrastructure protection across the United States.

Collaboration with the National Rural Water Association (NRWA)

The initiative has formalized a critical partnership with the National Rural Water Association (NRWA).

The NRWA provides extensive technical assistance to thousands of small water utilities. This collaboration is essential for ensuring the MSSP model is practical, field-tested, and easily deployable.

This partnership is crucial for extending high-level cybersecurity expertise and cybersecurity services to remote locations often ignored by traditional IT vendors.

Academic Guidance and Key Research

Model refinement and advanced policy development are anchored at the University of Chicago, specifically through the Harris Cyber Policy Initiative (CPI).

Cybersecurity leader and researcher Tarah Wheeler has joined the initiative as a Senior Fellow. Ms. Wheeler is directing research to guide the development of this scalable framework.

Jake Braun, a principal organizer of the original DEF CON Franklin effort, emphasized the need for this academic rigor. The research ensures the framework meets evolving policy demands and anticipates threats from both nation state groups and cybercriminals.

The CPI guidance is vital for building robust compliance support and effective threat detection strategies that align with requirements set by the Environmental Protection Agency (EPA).

Financial Stability and Operational Hub

To stabilize the transition from a purely voluntary structure to a business model focused on continuous cybersecurity, crucial philanthropic support has been secured.

Philanthropist Craig Newmark, founder of Craigslist, is among the notable figures providing initial developmental funding.

This financial backing is stabilizing the initiative, allowing it to provide long-term security solutions rather than relying solely on periodic volunteer efforts.

The funding is directly supporting the establishment of the Water Watch Center. This center will serve as the operational hub for the new Managed security service, coordinating incident response and distributing vital threat intelligence to subscribing rural water utilities.

Analysis of Cybersecurity Services Models

The establishment of a formal Managed Security Service Provider (MSSP) model represents a necessary evolution in critical infrastructure protection for rural water utilities.

The initial DEF CON Franklin cyber volunteer effort provided crucial vulnerability identification and immediate relief. However, that model lacked the scalability and guaranteed service required for continuous cybersecurity.

This shift ensures that small water utilities receive professional, long-term support rather than relying solely on pro bono labor.

The new MSSP structure, backed by the National Rural Water Association (NRWA), is specifically designed to democratize high-level cybersecurity expertise previously unavailable to underfunded systems across the United States.

Volunteer vs. Formalized MSSP: Key Differences

The distinction between the pilot program and the new MSSP model lies in sustainability and scope. While the pilot focused on immediate remediation of existing risks, the formalized service focuses on proactive threat detection and compliance support.

Comparison: Cyber Volunteer Effort vs. New MSSP Model
Feature Volunteer Model (DEF CON Franklin Pilot) New MSSP Model (2026)
Goal Initial assessment, vulnerability identification, and hands-on remediation. Continuous cybersecurity, proactive monitoring, and managed risk mitigation.
Scalability Limited, difficult to expand beyond small geographic regions in the United States. High, designed for rapid deployment across the entire NRWA network.
Cost Structure Free (pro bono labor). Affordable subscription fee based on aggregated, shared infrastructure costs.
Service Focus Network mapping and basic training against cyberattacks water systems. Threat detection, rapid incident response, and compliance support.

The Shift to Continuous Cybersecurity and Compliance

The primary advantage of the new MSSP model is the introduction of continuous cybersecurity monitoring. This capability moves systems beyond basic patching to active defense against sophisticated cybercriminals and nation state groups.

Experts involved in the transition, including Jake Braun and Tarah Wheeler, emphasize that formalizing the MSSP ensures access to dedicated threat intelligence.

This intelligence feeds directly into the Water Watch Center operations, allowing for rapid deployment of countermeasures when zero-day vulnerabilities or new cyberattacks water systems are identified.

For rural water utilities, the cost structure is critical. The model aggregates the cost of high-end cybersecurity expertise and technology across many small water utilities.

This approach makes advanced threat detection and incident response capabilities financially feasible for systems operating on extremely tight budgets.

Furthermore, the MSSP model is structured to provide ongoing compliance support, helping utilities meet evolving regulatory mandates established by the Environmental Protection Agency (EPA) concerning drinking water safety and security.

This formalized structure is essential for long-term critical infrastructure protection across the United States.

Expert Insight

“Franklin proved that the cybersecurity community is willing and able to show up for the most under-resourced parts of our critical infrastructure. The next challenge is sustainability. Tarah Wheeler brings exactly the technical depth, governance expertise, and real-world perspective needed to build a managed security model that actually works for water operators on the ground.”, Jake Braun, Co-founder of DEF CON Franklin

The Expanding Threat Landscape Justifies the New MSSP Model

The urgency driving the new MSSP model stems directly from verified increases in attacks targeting water utilities. These threats are no longer theoretical incidents.

Data compiled by the Water Watch Center confirms that sophisticated nation state groups and organized cybercriminals are actively probing operational technology (OT) systems. Protecting drinking water safety requires immediate action.

Journalist Jonathan Greig, writing for Recorded Future News, has extensively documented the shift in attacker focus. They are moving from corporate data theft toward physical disruption of essential services.

Successful cyberattacks water systems pose severe public health risks, demanding rapid incident response and regulatory action from the Environmental Protection Agency (EPA). This underscores the necessity for robust critical infrastructure protection.

Protecting our water supply is fundamentally a matter of national security. Small utilities are often the weakest link, and we are closing that gap by making high-end security accessible and manageable, stated Tarah Wheeler, Senior Fellow at the Harris Cyber Policy Initiative (CPI).

This proactive initiative, evolving from the DEF CON Franklin cyber volunteer effort, ensures that small water utilities have access to high-caliber cybersecurity expertise. Leaders like Jake Braun recognize that regions from Arizona to Vermont must gain parity with major metropolitan areas.

The MSSP is specifically designed to deliver continuous cybersecurity, including 24/7 threat detection and rapid incident response. This service structure, supported by organizations like the National Rural Water Association (NRWA), allows utility managers to focus on delivering safe water rather than constantly monitoring for threats.

Expert Insight

“Protecting our water supply is fundamentally a matter of national security. Small utilities are often the weakest link, and we are closing that gap by making high-end security accessible and manageable.”, Tarah Wheeler, Senior Fellow at the Harris Cyber Policy Initiative (CPI)

Frequently Asked Questions

What is the primary difference between this MSSP model and standard Managed Security Service Providers?

The key difference is calibration. This specialized MSSP model is designed specifically for the limited budgets and staffing constraints of rural water utilities and small water systems.

Unlike general business cybersecurity services, this framework prioritizes monitoring Operational Technology (OT) environments, the systems that manage pumps and treatment. It also provides crucial compliance support specific to Environmental Protection Agency (EPA) guidelines and water sector standards, which standard providers often overlook.

How does the MSSP handle Incident Response and Threat Detection?

The framework emphasizes robust incident response (IR) protocols supported by continuous cybersecurity monitoring. Once threat detection occurs (often utilizing threat intelligence gathered by partners like the Water Watch Center), the MSSP team immediately isolates the compromised system.

They alert utility management, initiate forensic analysis, and deploy recovery procedures. This structured approach, championed by experts involved in the DEF CON Franklin cyber volunteer effort, minimizes downtime and ensures the protection of drinking water safety.

Which organizations and individuals are supporting this critical infrastructure protection effort?

Key institutional supporters include the National Rural Water Association (NRWA), which provides outreach to small water utilities, and the Harris Cyber Policy Initiative (CPI) at the University of Chicago.

The initiative is rooted in the cyber volunteer effort led by figures such as Jake Braun and Tarah Wheeler. Financial stability, essential for offering high-quality critical infrastructure protection services nationwide, is backed by philanthropic sources, including prominent support from Craig Newmark.

Why are rural water utilities targeted by Nation State Groups and Cybercriminals?

Rural water utilities often rely on legacy infrastructure and typically lack dedicated cybersecurity expertise, making them easier targets for reconnaissance or disruption by nation state groups and organized cybercriminals.

While a single successful cyberattack on a small water system in, for example, Arizona or Oregon may not cripple the entire United States, the cumulative effect of these disruptions, causing public fear and demonstrating vulnerability in critical infrastructure protection, serves the strategic goals of these foreign actors. The MSSP model aims to close this vulnerability gap.

How is this MSSP model affordable for small water utilities?

The financial model is designed to be accessible to small water utilities. By leveraging philanthropic backing and streamlining the service scope to focus strictly on essential threat detection and vulnerability management, the MSSP offers continuous cybersecurity services at a fraction of the cost charged by traditional providers.

Utility managers are encouraged to contact the NRWA for specific pricing tiers based on system size and complexity. This approach aims to democratize high-quality cybersecurity expertise for every provider, regardless of budget.

References

Tags:

Thomas Ballard

Thomas E. Ballard, aka “The Groundwater Guy” is a consulting hydrogeologist with over 35 years experience. He is a registered Professional Geologist in California and Tennessee and Certified Hydrogeologist in California. His work focuses mainly on water resources development for small water districts and groundwater contamination issues.

Leave a Reply